Policy | Security | Investigation

corporate

August 07, 2010

E-discovery and e-investigations involve ever-growing quantities of legal records . . . oceans of records. To sift and understand these oceans, we need new tools.

Two such tools are crowdsourcing and sentiment analysis.

Crowdsourcing can employ an army of virtual workers to analyze massive numbers of records like emails. CrowdFlower will demonstrate this application of crowdsourcing at the SANS Institute’s E-Records Summit in September.

Sentiment analysis uses linguistic software to glean the intent or attitude of people expressed in large numbers of records, such as text messages or Twitter tweets.

Tools like crowdsourcing and sentiment analysis are little known in legal circles. How can courts, lawyers and investigators gain experience? How can they evaluate these new tools and learn their uses?

I suggest those tools (and others) be incorporated into computer games. In the Information Age, games and simulations are assuming a larger role in education, training and dispute resolution. For example, managers at healthcare providers learn how to cope with adversity, such as employee termination, through computer-aided simulation.

Lawyers, law students and even courtroom judges can play computer games for the serious purpose of evaluating evidence, testing arguments and ascertaining what the outcome of litigation should be. Computer games can be quicker, more insightful and less expensive than the traditional form of litigation simulation, i.e., mock trial.

I can imagine lawyer computer games including tools like crowdsourcing and sentiment analysis.

Imagine that a law firm is defending an age discrimination lawsuit involving 3 million electronic mail records at a corporation. To assess those records and develop strategy, the law firm could play games with them. It could feed the records into a computer game that uses crowdsourcing, sentiment analysis and the like to test and search the records under different standards and scenarios. The firm might, for example, learn that sentiment analysis reveals an overall executive desire to comply with employment laws, even though a few “stray remarks” use impolitic language to discuss older workers. Alternatively, the firm might discover that a thorough review of the emails, by hundreds of reviewers, reveals a management culture at the corporation that is insensitive to rights of older employees. (See Efrati and Koppel, “Google is set back in age-bias case in ruling with broad implications,” Wall Street Journal, August 6, 2010.)

Either way, the law firm is better able to advise and represent its corporate client.

The law industry is slow to recognize new methods. As inventors like CrowdFlower develop innovations for the industry, computer games can publicize those innovations and teach lawyers and investigators to think differently.

In good part, the electronic funds transfer (EFT) relationship between a bank and its business (commercial) customer is governed by Uniform Commercial Code Article 4A. What are the rules when an unidentified computer thief wires money out of a businesses account? This chart summarizes what Article 4A says on the topic.

Following is an article I published in 1993, where I argued that UCC 4A properly balanced the interests of banks and their business customers. I’ve edited the only slightly from what I wrote in 1993.

The rash of stories that Krebs is publicizing is unprecedented in the 20-some-odd-year history of UCC 4A. In light of this rash, I am re-evaluating what I wrote in 1993. Notice that the hypothetical case I discussed below involved $5 million, whereas the cases Krebs exposes involve only tens or hundreds of thousands of dollars. The corporate victims of today's heist are less able to acquire expertise in IT security.

I’m not finished with my re-evaluation, but here's what I wrote . . .

UCC 4A's Delicate Balance

Hypothetical Question: Suppose a precocious 17-year-old uses her PC to send an electronic payment order to bank, relieves a corporate bank of $5 million, and vanishes with the cash. Neither the bank nor the corporate customer knows who committed the crime or how. Who should eat the loss . . .

February 06, 2010

Litigants by their nature are in search of advantage over their adversaries. In this computer age, new tools for advantage emerge every day.

An intriguing discipline that could yield new tools is linguistic analysis, especially sentiment analytics. A company named Jodange searches vast quantities of text in social media (Twitter, Facebook, LinkedIn, Yelp, online dating sites) to ascertain the opinion (the sentiment) of thought leaders or interest groups. It employs computer-driven algorithms to analyze, for instance, the compositional semantics within text (e.g., tweets on Twitter) to glean what, say, US consumers think of brand X.

For sentiment analytics, I see a promising application in what we lawyers call "eDiscovery." eDiscovery is a rapidly growing field, where much money is at stake. eDiscovery includes the collection and review of vast quantities of data (especially email) in a lawsuit or investigation. A business or government lawsuit can involve tens of millions of emails -- too many to read and understand one-by-one. Linguistic analysis, and sentiment analytics, could be valuable to a litigant seeking e-Discovery (EDD) advantage.

Intent Influences Legal Results

Why do I think sentiment analytics could be especially relevant to a lawsuit? The reason is that very often legal liability or outcome depends on the “intent” of a person or an enterprise. For example, to commit a crime a defendant must usually intend to do something wrong. No intent, no crime.

In complex criminal cases, like one against a corporate defendant, the defendant strives to show that it had no intent to behave badly or break the law.

To deduce the intent of people or entities from large numbers of communications such as e-mails is not easy for a jury or a judge. Sentiment analytics could help. Just as it can help interpret the opinion of 20,000 consumers, it could help answer questions like, what was the corporation thinking, what did it mean to do, what was its intention?

Example in a Lawsuit

I imagine this kind of argument being made by an antitrust defendant in court: “Sentiment analytics of four million emails within ABC Corporation reveals that neither the company, its staff nor its leadership had a plan, desire or intention to fix prices, to conspire with competitors or to otherwise violate the antitrust laws.” Presented correctly, that kind of argument could be powerful, and could open a new chapter in American jurisprudence.

The cases to which sentiment analytics applies need not necessarily involve extremely large numbers of messages. Sentiment analytics might be useful for interpreting, say, a few hundred messages in a child custody battle or the augmented reality advertisements broadcast to the patrons of a restaurant during a particular week.

Investigators -- whether they be courts, auditors or regulatory authorities -- need new tools. Linguistic analysis tools could help any kind of investigator make sense of voluminous electronic evidence.

IT Administrators

Twitter

Custom Professional Training

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.